The Great Commoditization of IT has Begun

• Economic Drivers

- Pay as you go (or else)
- CAPEX to OPEX

• Simplification

- Simpler deployment
- On-demand scaling

• Disruptive Technology

- Virtualization
- Ubiquitous network connectivity
But Security Remains a Significant Concern

Drive-By Malware
Rogue Administrator
Weak passwords
Man-in-the-Middle
Zeus
Data Leakages
IP theft
Melted perimeters
Collapse of Roles
Multi-Tenancy & Data Mingling
Identity Theft
DDOS Attacks
SQL Injection
Key-Loggers

Major security issues are cloud specific, requiring cloud-specific solutions
Cloud-Oriented Security Still Missing




• Security from the cloud: A/V, Email, Web, Auth... 

• Security within the cloud: honey pots, FS/IT-ISAC. 

• Security for the cloud: ??? 
Security Needs to Rapidly Evolve



STRONG AUTH 



DLP 



FEDERATION 




ENCRYPTION 




IRM 



IDENTITY 



INFORMATION 




Less Network & Device Centric,

The End of I.T. As We Knew It



Central IT managed Datacenters 

Well defined perimeters 




Enterprise App 

Datacenter 



• Ownership 

- IT owns the desktop, the 
application, the network, the 
storage, the whole 
infrastructure 

• Control 

- G.R.C. policy spanning all the
layers is relatively easy in such a
centralized environment
The New World of IT: Distributed & Loosely Controlled

Central IT managed Datacenters
Well defined perimeters
Ssi ic« consumption

• Device Consumerization

• Applications become SAAS

Loss of control ???

Frank
IT Guy

• Infrastructure moves to the cloud

everywhere: in the cloud and in
slider unmanaged devices

New IT Controls Left? Identity & Information Security
TRUST is Actually the Larger Issue



Policy 



Audits 



Security 



Compliance 



Privacy 




Assurance 



Reputation 



Reliability 
The Cloud Needs a Trust Framework

Apps
(virtual images)

Enterprise

"We can set policies"
(cloud policy Mgt)

"We can rely on a baseline"
(PCI for the cloud)

"We can verify"
(cloud audits & dashboard)

Cloud Trust Brokering

"We can monitor SLAs"
(SNMP for the cloud)

PAAS

IAAS

Cloud

Trust Framework = New Trust Infrastructure + Policy
Start with Identity: It is the Lynchpin



1995 



2011 



eCommerce 



Cloud 



Certificate 
New Infrastructure

Security Standards Council

New Policy

Trusted Front Door

The Need: ID Infrastructure + Trust Policy

New Infrastructure: Identity Broker

Federation Broker 

Enable one single identity across all cloud services (corporate ID) 



One Corporate Identity (Federation Broker) 



Integration 



Policy Mgt. 



Enforcement 



Provisioning broker: Integrates provisioning across all clouds

Authentication Broker: Unifies authentication across all clouds

Authorization Broker: Enforces access policy across all clouds

Example: Single Cloud Identity & Password Policy



Trusted Identity 
Source Layer 



Authorization 
Layer 



Access 
Broker Layer 





Access UX (dash, links)

d Access Policy Engine 




HTTP 
Redirects 
What About....




Our rogue administrator? 






Trust Through Information Protection 




DLP 



"Back-door" information security required 

- Need info sec technology (DLP, encryption) at cloud provider 

- Solves both the "rogue admin" and "local jurisdiction of data" 
challenges 

Yes, but where should we store the keys? 

- Keys better managed outside cloud provider 

- Identity broker eventually becomes key management broker 
(id->key) 
Example: Cloud Information Rights Mgt. Strawman



Scan, classify, encrypt 
based on local policy and 
remote user key 




Scan, classify 

Encrypt based on local policy 
using identity-based key 



Decrypt using identity-based key 

May ask broker for device, and 
location context before releasing 
Trust Through Certification



Vendors 
Apps 



Enterprise 
IAAS PAAS

Custom Enterprise Apps

PCI for the Cloud

Information protection controls 

• At rest (DB/FS encryption & key mgt) 

• In transit (DLP, SSL) 

• Privileged access security 

• Strong Authentication 

• Vulnerability 

Network, system, application-level security 
holes 

• Audit 
Trust Through Transparency (Auditing & Monitoring)



• SIEM for the Cloud 
is needed 

• Many deployment 
alternatives 

• SIEM in the cloud
for the cloud (front-door)
interesting

• Hard to scale: Highly 
distributed open 
source FS & 
databases likely 
relevant 
SIEM for the Cloud

+ Visibility: security events log & aggregation

+ Intelligence: event indexing, search & correlation

+ Cloud compliance Reports 

+ Cloud Incident investigation & forensics 



Vendors 
Apps 
Enterprise

Custom

Enterprise 
Apps 



CITRIX 
Eventually, "In Cloud We Trust"



Identity Broker 



Information Protection 
Broker (Key Mgt.) 



SIEM for the Cloud 




PCI for the Cloud 



FRONT-DOOR

■ Trust the identity (ID BROKER)

■ Trust the information (Key Mgt BROKER) 

■ Trust but verify (SIEM) 

BACK-DOOR 

■ Trust the provider controls through 
certification 



New Trust Infrastructure & Certification for the Cloud 
Conclusion: From Love to Trust

■ TRUST IS KEY

Is the largest obstacle to cloud adoption. We need a trust framework (trust infrastructure and policy).

■ TRUST BROKERS TO EMERGE

Trust brokers and certification frameworks will emerge like they did for eCommerce 15 years ago.

■ NEW TRUST LAYER FOR THE CLOUD

The new cloud middleware is about trust and security. It becomes critical infrastructure.
Thank you!

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.





















